Cyber Peace & Security Monitor, Vol.1, No. 7
Cyber security—a team sport
18 February 2020
The second substantive session of the UN’s Open-ended working group (OEWG) on developments in the field of information and telecommunications in the context of international security was replete with analogies, inside jokes, and catch phrases covering everything from handwashing to weakest links. Yet the one that resonates the most is the notion of cyber security as a team sport. While this was first articulated in reference to the inclusion and role of non-governmental stakeholders at the OEWG and more practically in cyber security activities, the analogy has applicability for the Group as a whole—and with its Chair as the referee, as one state joked in its closing remarks. If member states can “play” together as a team through the final stretch and agree on a consensus report with good substance, then everyone wins, because there will be benefits for the international community. If members of the team start missing passes from their teammates, running the other way, or incurring penalties for bad behaviour—then we all lose out.
Multiplicities of views
Coming off of the second session, the team spirit feels strong. On-going positive dynamics, engaging leadership, and an ever-growing number of substantive proposals have managed to transform a process with an auspicious beginning into something that might just deliver on practical outcomes that could improve international cyber security in fundamental ways.
This is not to say that there are not differences in positions. There are, and significant ones at that. The largest discrepancies are clearly in the area of law, and in the context of norms and principles. The vast majority of states affirm that international law, especially the UN Charter, applies to state behaviour in cyber space—but there are a few outliers, particularly to point that that international humanitarian law (IHL) applies. Differences exist regarding the voluntary norms for state behaviour that were agreed by a UN Group of Governmental Experts (GGE) in 2015 and later adopted by the entire UN membership. Most states defend the existing norms as an important baseline and point to a lack of their implementation as the problem in stopping digital threats. Others feel that the norms don’t speak to certain national or regional realities or that new ones are needed, a view supported by some civil society groups and international organisations. Some believe the voluntary status of the norms is insufficient to impact behaviour.
Relatedly, some countries have called in past for a legally binding instrument, or a “cyber treaty” and have indicated that the OEWG should be laying the groundwork for its negotiation. As that appears unlikely at this juncture, frustration on this point could lead to resistance on other aspects of the report. There were rumours throughout this session of a pending working paper from the Non-Aligned Movement that (reportedly) contained proposals for the OEWG to endorse work on a cyber treaty, among other things. This is a point which right now is supported by a minority of states on the floor, but if passed within the bloc—even if it goes against the stated national positions of some of its members—then those proposals would enjoy a numerical advantage, and be harder to not account for in a final report and push the issue to the fore.
That aside, a temporary work-around to accommodate these different perspectives on legal and normative aspects could be to agree that while the 2015 norms are an agreed baseline and should be maintained, they do require some unpacking, better promotion, or maybe even some minor tweaking to be impactful in different contexts. An agreement in the report to allocate time, and resources, to do that as a first step before attempting to negotiate new norms, or a treaty, might temporarily allay frustrations and also serve to reveal where the real gaps are among the norms. The same could be said for international law, in that a blanket statement about its applicability can sound daunting. Initiatives like the Australian case studies which illustrate in more detail which laws apply in what contexts, and how, are useful both politically and practically. The suggestion for the OEWG to recommend that member states share how they interpret international law in this regard, or apply the norms, would be a solid first step, as is a forthcoming Mexican proposal to invite the International Law Commission to undertake an impartial and complementary study in this regard.
Differences of opinion on the way forward, as addressed under the topic of “regular institutional dialogue,” were more pronounced in this second session. Russia, with support from others, has proposed extending the OEWG into the future. Some states, like Estonia, expressed reservations about doing this or establishing any dialogue platform, given the multiplicity of other normative fora on international cyber security that exist within, and beyond, the UN. Several other states, like Canada, New Zealand, and Finland, among others, expressed they are open to the establishment of “something” but it’s too soon to know the form it should take, and functions need to first be delineated. This isn’t necessarily problematic but outlining the functions of a new OEWG could be something for its supporters to then prioritise, given the time remaining in the process. Apart from a future dialogue platform, there were multiple suggestions for bodies and mechanisms that could be established to support work across any of the six topics. Ideas floated so far range from a mechanism to improve global coordination of capacity building and matching resources, to a follow-up implementation mechanism. Involving relevant stakeholders in this work was expressed as an important pre-requisite to success by many governments, many of whom also spoke out against non-ECOSOC organisations having been blocked from attending this session.
The areas of agreement are largely found in the discussions about the threat landscape, and in relation to confidence and capacity building. For example, many states are encouraging better global coordination of capacity building efforts and recognise the importance of building from existing regional initiatives, which also applies to confidence building measures (CBMs); and agree that capacity building should be politically neutral and guided by widely accepted principles—the elaboration of which could be a future task for a future OEWG or other body. These and other aspects of the conversation are outlined in the News in Brief section of this edition, as are the numerous other concrete ideas proposed across all the six topics.
Since the first substantive session in September, there is ever-growing support for a human-centric approach to international cyber security, possibly buoyed along by inputs of this nature from many non-governmental stakeholders during the informal meeting in December. It has been particularly encouraging to hear more states articulating that there is a role for human rights within discussions on international cyber security and a sense that while the OEWG focuses on state behaviour, the impact of that behaviour on people, and their rights, cannot be overlooked. A new statement from the Freedom Online Coalition that was referenced often in this second session has helped to elaborate on the human rights-based approach to cybersecurity in conjunction with other resources from civil society groups.
Yet this is not a universal sentiment with some viewing this as beyond the purview of the OEWG and the UN General Assembly’s First Committee, despite a track record of humanitarian disarmament initiatives within the Committee and a 2015 norm on human rights. This may be a point that becomes challenging to agree on in the report.
In its remarks to the second session, WILPF encouraged states to think more concretely about what human-centric means practically and advocated that a gendered approach would be central to that. As reported on separately in this edition, numerous states have indicated in their statements that the OEWG must take gender into account in its final report, possibly through recommendations on participation and representation, or to find synergy with national action plans on Women, Peace and Security, or in accounting for gender-differentiated impacts of cyber operations and incidents.
WILPF, along with ICT4Peace, also spoke to the question posed by the Chair about if the OEWG could ask members states “to unilaterally declare to refrain from militarisation/offensive use of ICTs?” There hasn’t been an honest conversation in the OEWG, or anywhere, about the proliferation of states with offensive cyber capabilities and policies. It’s something has been happening slowly in the last few years, and as WILPF noted, it sometimes feels as if that the international community has given up on trying to prevent the militarisation of cyber space and is rather focused on outlining how to do damage control by focusing on responsible state behaviour and rules of the road. Some states speak out against militarisation in their statements—but some of them are known to have run significant offensive operations. In the second session, countries like Denmark, Australia, and the United Kingdom outlined their reasons for going this route, which included the precision that a cyber operation can offer as well as feeling incentivised to pursue an offensive capability or policy because other countries have. Their frankness and uptake on this point was welcome in lieu of prior non-engagement; but more discussion and holding to account on this point is needed within the OEWG process, and the outside world.
The next round
The OEWG is fast approaching a turning point as the Chair will now develop a pre-draft of the final report that must be agreed by consensus at the third and final session in July.
The final report will be structured in a way to indicate areas of agreement; areas of disagreement; and then recommendations and conclusions under each of the six substantive topics that the OEWG considers. This format should be palatable for most because it leaves space to show all views when there is not agreement. The Chair reminded delegates that while the report will be organised under the six topics, these different sections are connected and impact one another.
This is often where even the most positive processes can turn ugly or become difficult. Given the breakdown of multilateralism in so many other security forums and recent late-night negotiations in processes on small arms and autonomous weapons, hoping for the adoption of a strong report without controversy can feel naïve. The problem with consensus-based decision making is that it only takes one spoiler to bring down a meeting and derail progress.
Yet, the genuine goodwill and efforts to listen to one another are real. As more than a few delegations have stressed, “Let’s focus on the 80 per cent of things where we have agreement, rather than the 20 per cent where we do not.”
Since the first session, most member states have urged one another to focus on practical, specific, and achievable outcomes rather than trying to tackle the more politically challenging questions that have deadlocked other UN bodies on this subject. If the OEWG could make concrete recommendations in the areas of CBMs or confidence building or help to advance shared understanding on legal or normative interpretations, then those are successes that can help advance resilience and security in real ways.
“The urgency is real, and is felt by everyone around the world,” Ambassador Lauber, the OEWG Chair reflected as he closed the session.
Apt words as this team advances into the next round.